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(57) ABSTRACT 

A secure network file access appliance supports the secure 
access and transfer of data between the file system of a client 
computer system and a network data store. An agent pro- 
vided on the client computer system and monitored by the 
secure network file access appliance ensures authentication 
of the client computer system with respect to file system 
requests issued to the network data store. The secure net- 
work file access appliance is provided in the network 
infrastructure between the client computer system and net- 
work data store to apply qualifying access policies and 
selectively pass through to file system requests. The secure 
network file access appliance maintains an encryption key 
store and associates encryption keys with corresponding 
filesystem files to encrypt and decrypt file data as transferred 
to and read from the network data store through the secure 
network file access appliance. 
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SECURE NETWORK FILE ACCESS 
CONTROL SYSTEM 

BACKGROUND OF THE INVENTION 

1. Field of the Invention 

The present invention is generally related to network 
infrastructure devices supporting network access to 
remotely stored data and, in particular, a secure network 
system utilizing an infrastructure appliance to provide 
authentication, access, compression and encryption controls 
over remote file data stores. 

2. Description of the Related Art 

The use and concomitant evolution of network informa- 
tion systems continues to grow at a substantial pace. Orga- 
nizations of all sizes, though particularly in larger, typically 
corporate environments, are producing and redeploying 
information at increasing rates as part of the fundamental 
business processes implemented by those organizations. In a 
typical scenario, such as encountered in many parts of the 
financial, scientific, and manufacturing industries, various 
files detailing transactions are routinely created and centrally 
stored for individual and aggregate processing. This same 
information is then routinely redeployed for interactive use 
by captive customer service representatives, select compo- 
nent and service suppliers, and often for limited end user 
access through typically Web-based network interfaces. File 
stores that measure in the range of tens to hundreds of 
terabytes are commonplace. 

As an initial matter, the growth in the volume and need for 
wide accessibility of information is reflected in increasing 
interest in network attached storage (NAS) and storage area 
networks (SANs). These technologies support a network- 
based storage architecture that enables a fundamental inde- 
pendence between the various client, application and net- 
work server systems used to access and process stored data 
and the expansion, configuration, and management of large 
data storage systems. Other fundamental capabilities pro- 
vided by network-based storage architectures include the 
ability to geographically distribute and, further, replicate the 
data stores, which permit remote data backup and hot 
fail-over of typically business and real-time transaction 
processing storage systems. 

While the many enabling capabilities of network-based 
storage architectures are of substantial value, issues of 
authentication, access control, and security over the stored 
data remain. Indeed, the ubiquitous data accessibility inher- 
ently afforded by network-based storage architectures is 
commonly viewed as greatly exacerbating the problems of 
assuring authentication, access, and security control. The 
network transport costs associated with delivering and 
accessing remotely stored data is also recognized as a 
significant problem. 

Conventional direct attached storage (DAS) architectures, 
involving application and network servers with dedicated, 
locally attached storage arrays, have evolved various forms 
of authentication, access and security controls to protect 
stored data. These controls run from basic operating system 
password authentication and access permission attributes to 
smart cords and physical access barriers. The successive 
layering of these controls can be used to progressively 
harden the underlying direct- attached storage. 

While some of the conventional protection controls 
remain generally applicable to network-based storage 
architectures, many are, as a practical matter, ineffective. In 
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network-based storage architectures, the storage accessing 
application servers are typically remotely distributed, which 
generally precludes any assurance that authorization, access, 
and security controls are not intentionally or inadvertently 

5 circumvented. Even fewer assurances exist for the remotely 
distributed client computer systems permitted access to the 
network shared with the network storage. 

The vulnerabilities of conventional network-based stor- 
age architectures are appreciated and, as a result, have 

10 significantly limited the rapid adoption of NAS and SAN 
technologies. Other technologies, such as virtual private 
networking (VPN), are useful in overcoming certain of the 
limitations of network-based storage architectures. VPNs 
support a robust encryption of data in transport between the 

15 endpoint systems within a VPN session. Thus, conventional 
VPNs can be used to provide point-to-point security over 
data transported between various client computer systems, 
application servers, and the network storage systems. 
VPN and similar technologies, however, fail to support 

20 any meaningful access controls or assure the continuing 
security of data once delivered to a VPN endpoint system. 
The underlying protocols were simply not designed to 
provide or enforce storage-type access controls. VPN data, 
while encrypted and secure during transport, is delivered to 

25 a VPN host endpoint subject only to the access controls 
implemented by the host. The data is also delivered unen- 
crypted and thus again subject only to the security controls 
provided by the host. 

30 Other technologies can be potentially employed to layer 
general access and security controls onto the secure trans- 
port capabilities of VPN and similar technologies. Various 
standard protocols, such as the Kerberos protocol 
(web.mit.edu/kerberos/www/) and the Lightweight Direc- 

35 tory Access Protocol (LDAP; www.openldap.org) can be 
utilized to differing degrees to provide secure authentication, 
directory services, and access controls. Encrypting file sys- 
tems can be utilized to secure file data as stored. Together, 
these technologies can provide for a well-hardened storage 

4Q of data within a network-based storage architecture. Con- 
sidering the requisite separate administration of these tech- 
nology layers over disparate client computer systems and 
application servers, however, makes assuring that data is 
properly subject to rigorously enforced authentication, 

45 access and security controls practically impossible. 

Consequently, there remains a fundamental, unsolved 
tension between ensuring only properly secure access to 
network-based stored data and enabling appropriate wide- 
spread access to the data in fulfillment of business process 

50 requirements. 

SUMMARY OF THE INVENTION 

Thus, a general purpose of the present invention is to 
provide an efficient network-based storage architecture uti- 

55 lizing a wire-speed infrastructure appliance as a managed 
portal between client computer systems and network storage 
for the coordinated control over authentication, access, 
encryption and compression of data transferred to network 
connected data storage. 

60 This is achieved in the present invention by providing a 
secure network file access appliance in a network infrastruc- 
ture to support the secure access and transfer of data between 
the file system of a client computer system and a network 
data store. An agent provided on the client computer system 

65 and monitored by the secure network file access appliance 
ensures authentication of the client computer system with 
respect to file system requests issued to the network data 
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store. The secure network file access appliance is provided 
in the network infrastructure between the client computer 
system and network data store to apply qualifying access 
policies and selectively pass through to file system requests. 
The secure network file access appb'ance maintains an $ 
encryption key store and associates encryption keys with 
corresponding filesystem files to encrypt and decrypt file 
data as transferred to and read from the network data store 
through the secure network file access appliance. 

An advantage of the present invention is that the secure 10 
network file access appliance extends comprehensive 
authorization, access and security services from the user 
level down to the physical file storage level. Authorization 
protocol compliance on client systems is actively enforced 
as a prerequisite for file accesses subject to the security 15 
services provided by the secure network file access appli- 
ance. Authorized file access requests, originating from an 
authorized application executed within an authorized ses- 
sion and process, are signed by the agent upon transmission 
to the secure network file access appliance. Multiple access 20 
policies are established to differentially qualify received file 
access requests, including verifying the agent signature to 
establish request authenticity and evaluating user and group 
permissions to establish file access rights. Access policies 
further define encryption and compression services that are 25 
applied to file data transmitted between the secure network 
file access appliance and network storage. Encryption of the 
network file data, including the transparent storage of the 
encrypted file data by the network storage system, ensures 
the integrity of network file data while within the manage- 30 
ment scope of the secure network file access appliance. 
Authentication, access policy, and encryption and compres- 
sion service exceptions are recognized as intrusion and 
tampering events that can be, subject to the applicable access 
policies, logged, issued as administrative alerts, and used as 35 
a basis for autonomous protection activities, such as block- 
ing all file access requests from a client network address. 

Another advantage of the present invention is that the 
secure network file access appliance maintains a secure store 
of the security encryption keys and operates autonomously 40 
to associate the applicable encryption key with encrypted 
file data as retrieved from a network file store. Meta-data, 
stored and retrieved automatically in association with the 
encrypted file data, provides a persistent encryption key 
identifier that is used to identify a correct encryption key for 45 
the file data. 

A further advantage of the present invention is that the 
authorization, access and security services performed by the 
secure network file access appliance are performed at wire- 
speed, enabling the full function of the secure network file 50 
access appliance to be transparent to the normal operation of 
both client systems and network storage systems. Data files, 
as encrypted by the secure network file access appliance, are 
presented as conventional data files to the network storage 
system. The encryption of network data files is therefore 55 
transparent to network storage systems, permitting the net- 
work data files to be conventionally manipulated using 
existing management tools, including backup and restore 
utilities, yet without permitting compromise of the security 
of the data file content. 60 

Still another advantage of the present invention is that the 
secure network file access appliance can implement data 
compression in combination with encryption to minimize 
the bandwidth requirements of secure file transfers as well as 
the size of the secured file data as stored. The connection 65 
throughput necessary to maintain a hot-backup and the 
storage space necessary for progressive archival file backups 
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are reduced. File data compression is accomplished with 
minimal degradation in the wire-speed operation of the 
secure network file access appliance. 

Yet another advantage of the present invention is that the 
secure network file access appliance is implemented as an 
infrastructure component, permitting easy integration in 
existing as well as new network systems. The secure net- 
work file access appliance particularly supports remote 
access to geographically distributed network storage sys- 
tems. An additional layer of access security control is 
provided through the integral implementation of firewall 
filtering of the network connections, thereby supporting 
centrally managed and configurable protections against 
external access attacks as well as improper internal access 
attacks. 

BRIEF DESCRIPTION OF THE DRAWINGS 

These and other advantages and features of the present 
invention will become better understood upon consideration 
of the following detailed description of the invention when 
considered in connection with the accompanying drawings, 
in which like reference numerals designate like parts 
throughout the figures thereof, and wherein: 

FIG. 1 is a top level diagram illustrating the operating 
environment of a preferred embodiment of the present 
invention; 

FIG. 2 is an architectural block diagram of a preferred, 
fixed scale appliance embodiment of the present invention; 

FIG. 3 is an architectural block diagram of an alternate, 
highly-scalable appliance embodiment of the present inven- 
tion; 

FIG. 4 is a process flow diagram illustrating the deep 
packet analysis processing provided in accordance with the 
present invention to support authentication and access quali- 
fication of client file oriented network requests directed to 
network storage resources; 

FIG. 5 provides a process interaction diagram showing 
the interoperation of client processes with an authentication 
agent executed by a client computer system; 

FIG. 6 provides a process interaction diagram illustrating 
the preferred exposure of network storage resources pro- 
vided in a preferred embodiment of the present invention to 
provide multiple qualified views of the underlying file data; 

FIG. 7 is a software block diagram illustrating the pre- 
ferred components implementing network packet protocol 
processing in accordance with a preferred embodiment of 
the present invention; 

FIGS. 8a-d illustrates the preferred decomposition of file 
data through the network packet protocol processing imple- 
mented in accordance with a preferred embodiment of the 
present invention; 

FIG. 9 is a software block diagram illustrating an 
extended network packet protocol processing including fire- 
wall processing in accordance with a preferred embodiment 
of the present invention; 

FIGS. 10a-b illustrate the process flow of a file system 
read request and response performed in accordance with a 
preferred embodiment of the present invention; 

FIGS. IIa-b illustrate the process flow of a file system file 
create request performed in accordance with a preferred 
embodiment of the present invention; and 

FIGS. 12a-b illustrate the process flow of a file system 
write request and response performed in accordance with a 
preferred embodiment of the present invention. 
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DETAILED DESCRIPTION OF THE 
INVENTION 

Secure network file access appliances, implemented in 
accordance with the present invention, can be effectively 
utilized in a wide variety of network infrastructure configu- 
rations. An exemplary infrastructure environment 10 is 
shown in FIG. 1. A secure network file access appliance 12 
is preferably implemented in the environment 10 within an 
intronet infrastructure 14 to operate as a communications 
channel between protected network storage resources 16, 
such as a SAN 18 and network attached storage devices 20, 
and client computer systems 22, 24. The secure network file 
access appliance 12 selectively encrypts, as determined by 
access policies implemented within the secure network file 
access appliance 12, file data stored to the network storage 
resources 16. In accordance with the present invention, the 
file data encryption maintains the logical file-oriented struc- 
ture of the data and is thus transparent to the network storage 
resources 16. Furthermore, the secure network file access 
appliance 12 preferably supports operation as an IP firewall, 
permitting the secure network file access appliance 12 to 
function as an exclusive infrastructure path through the 
intranet infrastructure 14. 

Network and other servers 26 implemented as part of the 
infrastructure 14 between the secure network file access 
appliance 12 and network storage resources 16 or as part of 
a NAS resource 16, 26, are unaffected by the encryption 
function of the secure network file access appliance 12, yet 
are secured against unauthorized access of the encrypted 
content. Actively used file data encryption keys are prefer- 
ably held and managed within the secure network file access 
appliance 12 alone. Network accessible trusted agent 
systems, providing conventional secure key archive services 
to the secure network file access appliance 12, can be relied 
upon to provide long-term storage and support on-demand 
retrieval of keys. The encryption keys are not stored on or 
directly accessible in usable form from the network attached 
storage devices 20 or network servers 26. 

Preferably, the secure network file access appliance 12 
processes file data read and write requests in aggregate at 
wire -speed and with minimal latency in qualifying the 
access privileges of each read, write, and related file access 
request, to selectively encrypt and decrypt file data 
transferred, and further selectively compress and decom- 
press the transferred file data. The round- trip encryption of 
file data ensures that transfers to remote network storage 
resources 16 over unsecured networks including the Internet 
effectively remain secure. Round-trip compression substan- 
tially reduces the needed file data transfer bandwidth, par- 
ticularly where the transfers are for repeated mass archival 
backups. 

Implementation of comprehensive access policy controls 
at the secure network file access appliance 12, essentially 
independent though additive to those of the network storage 
resources 16 and file servers 26, enables centralized file data 
access management. The access permissions and other con- 
trols implemented by the network storage resources 16 and 
file servers 26 are difficult to globally maintain through 
additions and reconfigurations of the network attached stor- 
age devices 20 due to the typically remote and distributed 
nature of the network storage resources 16 and file servers 
26. The access policy controls provided by the secure 
network file access appliance 12 are significantly more 
comprehensive, flexible, and administratively uniform than 
conventional access permissions implemented by the vari- 
ous network storage resources 16. 
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Authentication controls are supported by the secure net- 
work file access appliance 12 as a complement to the access 
policy controls. For the preferred embodiments of the 
present invention, authentication agent code is installed and 

5 executed on clients 22, 24 to enable user and client 
authentication, including authentication over user sessions 
and processes. For the client 22, a user 28 may represent an 
individual or a remotely connected computer system utiliz- 
ing the client 22 as a network file, Web, or application server, 

1Q executing conventional user applications 30 supported by a 
conventional network capable operating system 32. 

A modified file system 34 provides for selective authen- 
tication processing of file system requests directed to the 
network storage resources 16, including through network 

1S servers 26. For the preferred embodiments of the present 
invention, the file system 34 is mounted through a file 
system switch facility supported by the operating system 32 
against the directory nodes representing network storage 
resources 16. Authentication logic provided in an agent 

20 P r °gram 36, executing largely if not exclusively in kernel 
space, is called in response to file system operations directed 
against the file system 34. Through the operating system 32, 
the agent program 36 has access to user, client, process, 
application, and session information. Where attended user 

25 authentication is required, the agent program 36 preferably 
interoperates through the operating system 32 to assert an 
authentication dialog for the user 30. User responsive infor- 
mation can then be authenticated using standard authenti- 
cation controls, such as LDAP and other network available 

30 authentication servers (not shown). Alternately, or in 
combination, the user authentication response information 
can be transmitted to the secure network file access appli- 
ance 12 for security qualification. 
Authentication of user applications 30 is performed 

35 autonomously through the agent program 36. Preferably in . 
response to a first file system operation by a user application 
30, as received by the file system 34, or on notice from the 
operating system 32 of the invocation of the user application 
30, the agent program 36 generates a secure hash identifi- 

40 cation of the loaded binary image of the user application 30. 
This hash identifier and the application file attributes are 
then transmitted to the secure network file" access appliance 
12 for verification. An authentication response is returned to 
the agent program 36 providing verification status. A veri- 

45 fication failure or other exception indicated by the secure 
network file access appliance 12 preferably results in a 
disallowance of the requested file system operation. 

Unattended execution of applications by a client 22, such 
as on booting of the client 22, can be supported through the 

50 application authentication mechanism. Preferably, an appli- 
cation launcher utility is scripted to execute on boot. 
Through application authentication of the utility, the absence 
of attended user authentication derived information is not 
treated as an exception by the secure network file access 

ss appliance 12. The application launcher utility is then enabled 
to launch a designated application 30. 

The state of user and application authentication, in com- 
bination with user session and associated process identifiers, 
is preferably maintained by the agent program 36. In the 

60 preferred embodiments of the present invention, this authen- 
tication information and the digital signature of the agent 
program 36 are combined and sent encrypted to the secure 
network file access appliance 12 with each file system 
request passed by the modified file system 34. A network 

65 layer 38, including an NFS/CIFS network file system layer, 
modified to include the user and agent authentication infor- 
mation with file system requests, is used to communicate 
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with the secure network file access appliance 12. In the 
preferred embodiment, an NFS packet header field is 
extended, preferably by redefinition of an existing field, to 
store and transfer the user and agent authentication infor- 
mation. Additionally, periodic or heartbeat status remote 5 
procedure call (RPC) packets are sent by the agent program 
36 to the secure network file access appliance 12 reflecting 
the current state of the user and agent authentication infor- 
mation. Client changes relevant to authentication, including 
specifically terminations of processes and user sessions, are 
thereby rapidly noticed to the secure network file access 
appliance 12. 

The transport of file data between the secure network file 
access appliance 12 is generally secure where a client, such 
as client 22, is part of the local infrastructure 14. Where the 15 
transport extends to remote clients, such as client 24, over an 
unsecure network, such as the Internet 40, conventional 
transport security protocols con be transparently employed. 
As shown, a virtual private network 42, con be utilized 
without interference with the authentication of users 30 in 20 
accordance with the present invention. Alternatively, or in 
addition, a secure network file access appliance 12' can be 
deployed locally with respect to the remote client 24, 
thereby securing the transport of file data effectively 
between the remote client 24 and network storage resources 7 <- 
16. 

A preferred, fixed scale, hardware platform 50 for the 
present invention is shown in FIG. 2. The platform 50 is 
preferably implemented on a motherboard supporting the 
Intel® E7500 chipset 52, dual 2.2 GHz Intel® Xeon™ 30 
processors 54 (Intel Corporation, Santa Clara, Calif.; 
www.intel.com), and a 1-Gbyte 200-MHz Double Data Rate 
(DDR) main memory array 56. The chipset 52 supports six 
PCI-X buses 58, individually capable of over 8-Gbps 
throughput and an aggregate throughput of at least 24-Gbps. 35 
A basic configuration of two 1-Gbps network interface 
controllers, supporting ingress and egress network 
connections, and one 10 /ioo Mbps network interface 
controller, supporting a management network connection, 
are connected to the PCI-X bus 58. A base configuration of 4Q 
three HiFn™ 7851 security processors 62 (Hifn, Inc., Los 
Gatos, Calif.; www.hifn.com) provides hardware acceler- 
ated encryption and compression support for the generic 
data processing and control function of the processors 54. 
The security processors support symmetric programmable 45 
length block encryption algorithms, including 3-DES, at 
throughputs in excess of 400-Mbps per chip and program- 
mable length block compression algorithms, including LZS, 
at throughputs in excess of 80 MBps. 

Other peripherals 70, including a BIOS program and boot so 
hard disk drive, are supported though the chipset 52 to 
enable basic operation of the platform 50. Preferably, the 
platform 50 boots and runs a Linux™ based operating 
system, based on a commercial distribution of Red Hat™ 
Linux (Red Hat, Inc., Raleigh, N.C.; www.redhat.com). The 55 
software-based authentication and access functions of the 
secure network file access appliance 12 preferably load and 
execute in the Linux kernel space. Administrative and sup- 
port utilities are preferably implemented as user-mode appli- 
cations and daemons, 60 

An alternate, high-throughput, scalable hardware plat- 
form 80 for the secure network file access appliance 12 is 
shown in FIG. 3, This scalable architecture is generally 
consistent with the architecture disclosed in Network Media 
Encryption Architecture and Methods for Secure Storage, 65 
Serial Number 10/016,897, filed Dec. 3, 2001 by Pham et al., 
which is hereby incorporated by reference. In brief, multiple 



,828 Bl 

8 

blade-based access processors 82 1 _^ each preferably imple- 
ments a central processor executing an instance of an 
embedded Linux operating system. One or more encryption 
and compression security processors are provided on each 
blade as hardware acceleration engines. In place of the direct 
network interface connections 62, packet connections 
through a high-speed switch fabric 84 provide data paths to 
an ingress processor 86 and an egress processor 88 that serve 
as packet routers to 10 Gbps or higher throughput network 
infrastructure connections 90, 92. 

A control processor blade 94 manages and monitors the 
other blades 82j_ N , 88, 90. The control processor blade 94 
supports the booting of the embedded operating system 
instances on the blades 82j_^. 88, 90 and coordinates the 
sharing of common encryption and compression configura- 
tion and control information between the access processor 
blades 82!.^. A separate management network interface 
controller 96 is provided to enable independent access to the 
control processor 94 from the management network 98. 

The logical control and protocol processing functions 
implemented in the control programs executed on a platform 
50 for a preferred embodiment of the present invention are 
shown in FIG. 4. Inbound file requests are received as 
network data packets containing the various network file 
system messages implemented by a network distributed file 
system, such as the network file system (NFS) and common 
internet file system (CIFS). These network data packets are 
processed to expose the control information 114 contained in 
the protocol layers of each received data packet and the 
packet payload data 116 for examination and processing. 

Additionally, application and status information is gath- 
ered by an agent monitoring process 118 listening on a 
dedicated network port from network connected clients 22, 
24. Client status information, obtained from heartbeat net- 
work packets, is relayed to an authentication and access 
control process 120. Continuity of a client heartbeat is used 
to maintain a client authorization session. User authentica- 
tion session information, minimally reflecting that a user 
authentication sequence mediated by the agent program 36 
has completed successfully, can also be provided to the 
authentication and access control process 120 within the 
heartbeat data packets. Transmission of user authentication 
session information at checkpoint intervals serves to protect 
against conversion of any client process for the execution of 
unauthorized applications. Where the authentication and 
access control process 120 operates directly as an authenti- 
cation server, user and client identifiers and user password 
acquired by the agent program 36 are relayed through the 
agent monitor process 118. Authorization responses are 
generated and returned by the authentication and access 
control process 120 based on the user and client authenti- 
cation policy information maintained by the authentication 
and access control process 120. 

In reference to FIG. 5, authentication enforcement is 
enabled by requiring a call to the agent program 36 in 
connection with the initialization of a new user process 132. 
User authentication is performed directly by a user mode 
component of the agent program 36 through a conventional 
authentication service, such as LDAP, against a user login 
and password. Alternately, user authentication can be direct 
through a pluggable authentication module generally con- 
sistent with DCE/OSF-RFC 86.0 (Unified Login with Plug- 
gable Authentication Modules (PAM); www.opengroup.org/ 
tech/rfc/rfc8 6.0. html). In either case, the agent program 36, 
on authentication of the user, establishes an authenticated 
user session defined by the login process identifier (LPID), 
a user identifier (UID), and a group identifier (GID), as 
established by and obtained from the operating system 32. 
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The authentication modified filesystem 34 receives file 
requests 134 issued by a user process 132. A kernel mode 
portion of the agent program 36, operating in conjunction 
with the authentication modified filesystem 34, determines 
the source process identifier for each file request 134 by 5 
accessing operating system 32 structures. The authenticated 
user session information maintained by the agent program 
36, located by the determined process identifier, is then 
provided to the modified network layer 38 for inclusion in 
the network file system requests 134 as processed through 1Q 
the network layer 38. 

Client processes 136 spawned from an authenticated 
process 132 remain part of the parent authenticated user 
session. The chain of parent process identifiers is traced by 
the agent program 36 to associate file requests 138 from 15 
child processes 136 with corresponding authenticated user 
sessions. Preferably, to support access management at the 
level of individual processes, both the authenticated user 
login parent process identifier (LPID) and the current pro- 
cess identifier (PID) are provided to the modified network 20 
layer for inclusion in the session and process corresponding 
file requests forwarded to the secure network file access 
appliance 12. 

In a preferred embodiment of the present invention, the 
authenticated user session information, including a session 25 
identifier generated by the agent program 36, is encrypted 
using a session key obtained through a secure key exchange 
with the agent monitoring process 118. The resulting 
extended NFS requests thus securely transport the session 
control information, including at least a session identifier, 30 
request source IP, user identifier, group identifier, and pro- 
cess identifiers to the secure network file access appliance 
12, 

Preferably, the agent program 36 supports authentication 
of user applications 30 as loaded for execution in the 35 
authenticated user session processes 132, 136. Digitally 
signed applications loaded for execution can be verified 
conventionally by the agent program 36 against digital 
certificates obtained from a trusted PKI, LDAP or other 
authentication server. Application authentication 40 
information, such as the identity of the authentication server 
and certificate, can be potentially included by the modified 
network layer 38 with the session information provided with 
corresponding file requests to support auditing of indepen- 
dently verified applications. 45 

Autonomous application authentication by the agent pro- 
gram 36 is also supported through the secure network file 
access appliance 12. On the loading of an application for 
execution in a process 132, 136, the agent program 36 is 
called and executes, through the operating system 32, to 50 
locate 142 the application binary image and retrieve the 
application file attributes, including the application 
filename, path, permissions, and file size. A secure hash 
signature is generated for the application binary. In a pre- 
ferred embodiment of the present invention, a 20-byle hash 55 
signature is generated using the SHA-1 algorithm. An appli- 
cation authentication request, containing the hash signature, 
file attributes and a secure application token, is then passed 
to the secure network file access appliance 12 in an RPC 
directed to the agent monitoring process 118. The secure 60 
application token preferably includes a public key, of a 
public/private key pair stored by the secure network file 
access appliance 12 or trusted third -party authentication 
server, an application name, and a structure containing a 
secure hash signature of the application binary image and 65 
the application file attributes encrypted with the public key. 
The token is prior administratively generated through the 
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secure network file access appliance 12 or other trusted 
application authenticator against an administratively deter- 
mined authentic application. The tokens for authenticated 
applications are stored on or otherwise made accessible to 
the clients 22, 24. The application file name located for the 
loaded binary image is used to farther locate a correspond- 
ing token by the agent program 36. 

On presentation of an application authentication request, 
the secure network file access appliance 12 compares the 
public key provided within the token against known valid 
public keys prior administratively registered with the secure 
network file access appliance 12. The decrypted token hash 
signature and file attributes are verified against the hash 
signature and file attributes separately provided in the 
request by the agent program 36 and a return RPC commu- 
nicates the verification status to the agent program 36. 
Where the loaded application fails authentication, the cor- 
responding application process 132, 136 can be terminated. 
Alternately, subsequently received network file system 
requests 134, 138 from an unauthorized application can be 
ignored or refused by the modified file system 34. Thus, 
within an otherwise authenticated user session, the applica- 
tion authentication provisions of the present invention can 
enforce explicit and functional limitations on user process 
execution to a wett defined set of authenticated appli cations. 

Referring again to FIG, 4, packet control information 114 
and application information 122, exposed by packet pro- 
cessing 112 and as received from the agent monitoring 
process 118, is provided to the authentication and access 
control process 120 for each network file data packet 
received by the secure network file access appliance 12. 
Preferably, the authentication and access control process 120 
includes a policy store representing the administratively 
determined, functionally supported operations of the secure 
network file access appliance 12. The polices are preferably 
stored in a high-performance hash table permitting a policy 
lookup against the information 114, 122 as presented to the 
authentication and access control process 120. Audit logs of 
the file requests, as well as error logs and logs of refused 
operations are produced by the authentication and access 
control process 120. 

Policy sets applicable to a received network file packet 
can be progressively discriminated based on any of the data 
provided in the packet control information 114. In particular, 
IP layer data provides source and destination IPs, permitting 
specific access constrains to be defined against defined 
clients, individually or by subnets. The standard NFS/CIFS 
layer data provides the requesting user UID and GID, as well 
as the fully qualified file or directory reference, including 
generally a mount point, file system path, and applicable file 
name. The application information 122 layer identifies the 
user session and provides the execution and parent process 
identifiers. Where utilized, the application information 122 
layer also provides the application name and signature. 
Successful discrimination of the policy sets against the 
provided information 114, 122 enables and qualifies the 
processing of network file packets transported relative to the 
network storage resources 16. 

Preferably, the handling of the various possible types of 
policy set discrimination failures is defined by the policy 
sets. Discrimination failures will typically include user 
authorization failures and unauthorized application execu- 
tion attempts, unauthorized source IP addresses, and 
improper file references due to unavailability of the refer- 
enced file or lack of adequate user, group or file permissions. 
Depending on the nature of the failure, the discrimination 
failure handling defined by the policy sets will direct the 
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production of detailed audit and error log entries and imme- shown in FIG. 6, multiple virtualized mount points /dev/ 
diate issuance of administrative alarms, including poten- hd_a, /dev/hd_b, /dev/hd_c, and /dev/td_d may be defined 
tially the automated generation of email and voice messages. administratively in the configuration of the secure network 
The policy set discrimination failure handling preferably file access appliance 12. These virtual mount points are 
further defines the type and content of any NFS/CIFS 5 independently associated through a defined mapping with 
network file error data packets generated by of the NFS/ the same, as by alias, or separate real mount points supported 
CIFS slate machine 124 and returned to a client 22, 24. by various network storage resources 156, 158. Client 152, 
In accordance with the present invention, the progressive 154 file requests to mount any of the virtual mount point 
discrimination of the policy sets also determines the active represented network file systems can be qualified and con- 
application of encryption and compression to the packet 10 strained by policy sets that, at a minimum, serve to validate 
payload data 116. For inbound network file data packets the existence of. the virtual mount point and, optionally, 
from clients 22, 24, any combination of data provided in the further discriminate for a permitted mount request source IP. 
control information 114, 122 can be utilized as a signature In accordance with the present invention, the virtual 
identifying whether the packet payload data is to be mount points further expand the ability to discriminate 
encrypted against a particular encryption key and com- 15 applicable access policy sets for the client 152, 154 NFS/ 
pressed using a particular compression algorithm. A pre- CIFS network file transactions. Control information 114 
ferred basic policy set essentially defines the combinations provided with each network file packet directed to the secure 
of source IPs, user identifiers, and group identifiers permit- network file access appliance 12 identifies a target mount 
ted access through the mount point and, further, a default point. In accordance with the preferred embodiments of the 
encryption key to be used, particularly for file creation. 20 present invention, the authentication and access control 
Multiple policy sets can be applicable to the same mount process 120 logically selects an applicable policy set based 
point, differing in the specification of source IPs, user on the identified virtual mount point. The further constraints 
identifiers, and group identifiers or by specification of addi- represented by the selected policy set are concurrently used 
tional control information, such as the path specification and to determine how the network file data packet is to be 
file-type extension for the network file identified in the 25 processed. For example, otherwise authorized clients 152, 
request. The policy sets are administratively managed to 154 accessing the network resource 156 through the /dev/ 
ensure that unique combinations of the provided control hd__a virtual mount point may be constrained to read-only 
information resolve to distinct policy sets. Where path NFS/CIFS transactions. The separate policy set associated 
specification information is utilized to establish the scope of with the /dev/hd_b virtual mount point may support read- 
other wise matching policy sets, a best match of the path 30 write access by only a well defined set of UIDs, further 
specification, file name, and file extension is preferably used constrained to NFS/CIFS requests originating from a defined 
to discriminate the default applicability of data encryption subnetwork. 

and compression. ^ anomer example, read-write access of the network 
Network file packets returned from network storage storage resources 156 by the client 154, administratively 
resources 16 are similarly processed 112 to expose the 35 limited to providing backup services, may be broadly sup- 
packet control information 114 and permit a combination of ported through the virtual mount point /dev/hd_c. The 
data to be considered in determining whether accompanying policy set associated with the mount point /dev/hd_c pref- 
packet payload data requires decompression and decryption. erably enables read-write access to the network storage 
While, in accordance with the present invention, encrypted resources 156 while disallowing decryption of previously 
network data packets returned from the network storage 40 encrypted files. The policy set for the virtual mount point 
resources 16 can be presumed secure, examination of the /dev/td_d preferably provides for the encryption and corn- 
control information 114 through authentication and access pression of previously unencrypted files upon writing to the 
processing 120 enables an appropriate authentication of the archival network storage resources 158 and for decryption 
source and sequence of the returned network file packets. and decompression on reading. Consequently, a user with 
Preferably, packet payload data presented to the secure 45 limited backup access rights can fully administer the backup 
network file access appliance 12 and determined to be and restore of files without breach of the secure storage of 
encrypted or compressed is processed into a sequence of previously encrypted files. Thus, distinguishing policy sets 
logical access blocks (LABs) through an encryption and based on virtualized mount points provides an extensive 
compression process 126. As part of the encryption and degree of flexibility in managing the access rights of a 
compression process 126, each logical access block is, in 50 community of clients 152, 154. 

accordance with one preferred embodiment of the present Network file packets permitted or refused by operation of 

invention, marked with at least an indirect identifier of the the authentication and access control process 120 are sig- 

applicable encryption key and compression algorithm. Thus, naled to an NFS/CIFS state machine 124, as shown in FIG. 

while the decompression and decryption status of outbound 4. The sequences of network file packets representing select 

network data packets may be suggested by a source direc- 55 file data transactions, including specifically NFS/CIFS 

tory specification, the applicable encryption key and com- transactions, are tracked by the NFS/CIFS state machine 

pression algorithm is determined based on the encryption 124, in accordance with the present invention, to support the 

and compression identifiers associated with the logical selective encryption and compression of NFS/CIFS network 

access blocks. Decryption and decompression of the logical packet transferred file data and manage the attendant 

access blocks are, therefore, not essentially dependent on the 60 changes in the size and structure of network files as stored 

directory specification or other independently alterable by the network storage resources 16. Mount and unmount 

aspects of the network file. request RPCs are essentially atomic operations between the 

Discrimination of applicable policy sets is, in accordance clients 152, 154 and the secure network file access appliance 

with the preferred embodiments of the present invention, 12. On receipt of a mount request, access is optionally 

expanded through the support by the secure network file 65 determined by the authentication and access control process 

access appliance 12 of multiple, inbound virtual mount 120 based on the applicable policy set and a determination 

points for the various network storage resources 16. As that the underlying network storage resource 16 identified 
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with the corresponding real mount point is available. An 
RPC response acknowledging the success or failure of the 
mount or unmount request is then returned. 

The NFS/QFS state machine 124 tracks the state of each 
NFS/CIFS transaction processed through the secure network 5 
rile access appliance 12. The principle NFS/CIFS transac- 
tions tracked include Read, Write, and Create. All other 
NFS/CIFS defined transactions (generically Requests) are 
also tracked by the NFS/CIFS state machine 124. The Read 
transaction, following from an inbound read request for file 10 
data defined by an offset and range, involves building a 
corresponding read request with the read offset adjusted 
back to an encryption and compression block boundary and 
the range adjusted to allow for the encryption and compres- 
sion of the file data through to the end of a block boundary. 15 
The next states include issuing the read request to the 
network storage resources 16 , receiving a responsive series 
of network read file data packets, and processing, as needed, 
to decrypt and decompress the received packet payload data. 
The final read transaction states include extracting the read 20 
file data for the originally requested offset and range and 
building and returning one or more network file data packets 
with the read file data. 

An NFS/QFS Write transaction requires a read/modify/ 
write operation where existing stored file data is encrypted 25 
or compressed. A write transaction includes receiving a 
write request, building a lock request with a write lock offset 
adjusted back to an encryption and compression block 
boundary and the range adjusted to allow for the encryption 
and compression of the file data through to the end of a block 30 
boundary. The next transaction states include issuing a read 
request for any initial and final partial file data page includ- 
ing the adjusted write offset and range terminus, decrypting, 
decompressing and modifying the read data page to include 
the corresponding parts of the file write data as received 35 
from the client, encrypting and, as appropriate, compressing 
the file write data, and building and issuing corresponding 
write requests to the network storage resources 156. The 
final write states include building and sending an unlock 
request to the network storage resources 156 and building 40 
and sending a write request reply to the client. 

NFS/QFS Requests, such as get and set attributes, get 
access permissions, and make directory, are generally 
atomic transactions managed by the secure network file 45 
access appliance 12 to support infrastructure compatibility 
with the network storage resources 156. Request transac- 
tions involve receiving a client request and building and 
sending a corresponding request to the network storage 
resources 156. Upon receipt of a request response from the 5Q 
network storage resources 156, adjustments are made for the 
reported file size and other attributes of the network file as 
stored on the network storage resources 156 depending on 
the particular request involved in the transaction. A corre- 
sponding request response is then constructed and sent to the ss 
client. 

An NFS/CIFS Create transaction involves receiving a file 
create request, constructing a file management header for the 
new file, and building and sending a corresponding request 
to the network storage resources 156. Upon receipt of a 60 
request response from the network storage resources 156, a 
corresponding request response is again constructed and sent 
to the client. 

FIG. 7 provides a block diagram and flow representation 
of the software, architecture 170 utilized in a preferred 65 
embodiment of the present invention. Inbound network 
communications are processed through a first network inter- 
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face 172. Network file data packets received from clients 22, 
24 are processed 174 to expose and deliver the network 
control information 114 for authentication processing 176. 
Application control information 122 collected from corre- 
sponding agent applications 28 are provided through an 
agent interface 178 in support of the authentication process- 
ing 176. 

Based on interactions with a policy parser 180, selected 
elements of the network and application control information 
114, 122 are compared with authentication parameters main- 
tained in a policy data store 182. The policy parser 180 
preferably implements decision tree logic to determine the 
level of authentication required for processing the network 
file request represented by the network file data packet 
received and whether that level of authentication has been 
met. 

The network and application control information 114, 122 
is also processed 184 to determine whether the authorized 
user is permitted access to the corresponding network stor- 
age resources 16. The policy processor 180 and policy data 
store 182 operate to determine whether the access attributes 
provided with the network file request are appropriate to 
enable access to the specific network storage resources 16 
identified by the network file request. 

While logically separate operations, the authentication 
and access processing 176, 184 are preferably performed 
concurrently. In a preferred embodiment of the present 
invention, a basic decision tree logic sequence considers the 
logical combination of network file operation requested, 
virtual mount point, target directory and file specification, 
client IP, user UID and GID, and the client session and 
process identifiers. Also considered is application authenti- 
cation data provided with the network file request and as 
prior provided by the agent program 36 and the continuity 
state of the client session as periodically reported by the 
agent interface 178. Additional state data accumulated in 
relation to the nature, timing, and frequency of network file 
access requests is considered. This state data is accumulated 
by the secure network file access appliance 12 to support 
static time scheduling and quota controls over network file 
access requests as well as dynamic traffic shaping of the 
network file access operations processed through the secure 
network file access appliance 12. The accumulated state data 
also permits dynamic detection of patterns in file access 
requests that threshold qualify as intrusion attempts or other 
circumstances warranting issuance of an administrative 
alarm. The decision tree evaluation considers prior 
sequences of file access requests and thereby qualifies the 
permitted support of a current network file access request. 

Policy data is administratively established to define the set 
of virtual mount points and the mapping of virtual mount 
points to real mount points. The policy data can also 
variously define permitted client source IP ranges, whether 
application authentication is to be enforced as a prerequisite 
for client execution or operative response by the secure 
network file access appliance 12, a limited, permitted set of 
authenticated digital signatures of execution or response 
enabled applications, whether user session authentication 
extends to spawned processes or processes with a different 
UID or GID, and other data that can be used to match or 
otherwise discriminate, in operation of the policy parser 180, 
against the control information 114, 122. This administra- 
tively established policy data is logically accessed from the 
policy store 182 by the policy parser 180 in the evaluation 
of the network and application control information 114, 122. 
For the preferred embodiments of the present invention, the 
decision tree logic and policy data are stored in a hash table 
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permitting rapid evaluation of the network and application 
control information 114, 122. 

The network and application control information 114 7 
122, as well as the determined results of the authorization 
and access processing 176, 184 are control inputs to an 
NFS/CIFS state machine process 186. Non-file data 
messages, including various NFS/CIFS request and reply 
messages involved in the read, write, and create NFS/CIFS 
transaction sequences, are prepared and forwarded 188, 190 
directly from the state machine process 186 to the inbound 
network interface 172 and an outbound network interface 
192. Policy data needed to support the generation of network 
file request and reply data packets, such as virtual to real 
mount point mapping data, is accessed from the policy data 
store 182 as needed. 

Where ordinary network file data is included in a network 
file data packet inbound from a client 22, 24, the packet 
payload data 116 is processed 194 into a sequence of logical 
access blocks (LABs), provided the network file data packet 
is qualified through access processing 184 for encryption or 
compression. The packet payload data 116 of unqualified 
network file data packets are processed 194 unchanged into 
network data packets and provided to the network interface 
192 for transmission to the network storage resources 16. 

As represented in FIG. 8a, the packet payload data of 
network file data packets corresponds to read and written 
portions of a file 220 recognized by a file system 36. 
Individual packet payload data 222, generally as shown in 
FIG. 8b, is preferably processed 194 into a sequence of 
logical access blocks 224j_ A -, as shown in FIG. 8c with each 
logical access block containing a corresponding portion of 30 
the packet payload data 222. In an initial embodiment of the 
present invention, the file management header 226 is virtu - 
alized for all files associated with a real mount point and 
locally stored by the platform 50 effectively as part of the 
policy data held by the policy store 182, The applicable file 35 
management header is retrieved as part of the policy set 
applicable to the requested virtual mount point. The pre- 
ferred embodiments of the present invention provide for the 
creation of a file management header 226 in connection with 
each Create file NFS/CIFS transaction. In one embodiment, 40 
the file management header 226 is created and written to the 
network storage resources 16 effectively as the first file data 
block as part of the creation of the file 220 on the network 
storage resources 16. One or more logical access blocks 224 
can thereafter be appended to the file as created on the 45 
network storage resources 16 and, subsequently, read and 
written in random order. Alternately, to optimize the storage 
and retrieval of data with respect to the network storage 
resources 16, individual or subsets of logical access blocks 
224 and the file management header 226 can be written to 50 
separate I/O pages within the same or different file spaces 
and storage devices. In either case, in accordance with the 
present invention, qualified file data reads and writes 
directed to the network storage resources 16 are performed 
as discrete, logical access block- aligned transfers encom- 55 
passing the offset and range of a client network file data 
request. 

The file management header 226 and logical access 
blocks 224 are repackaged in network file data packets as 
otherwise ordinary blocks of file data for transport to the 
network storage resources 16. The encryption and/or com- 
pression of network file data by secure network file access 
appliance 12 is thus entirely transparent to the reading and 
writing of relative to the network storage resources 16 by 
operation of the present invention. 

A preferred structure of the file management header 226 
is shown in FIG. 8D and further detailed in Table I below. 



Preferably, the file management header 226 includes a 
unique file GUID 228, security parameter index (SPI) 230, 
and a security signature 232. The file GUID 228 is prefer- 
ably a SHA-1 -based secure hash of data related to the file, 
such as the client IP, user UID, and file creation time to 
provide a 160-bit unique random identifier for the file. The 
security parameter index 230 is preferably a composite of 
security information including an encryption key identifier 
(Key) 234, a security options array (Idx) 236, and file related 
information (Info) 238. 

The encryption key identifier 234 is preferably an 
encrypted representation of the encryption key name utilized 
to encrypt the file data contained in the logical access blocks 
of the file 220. Encryption key name/key value pairs are 
utilized by the secure network file access appliance 12 are 
administratively defined and stored in the policy data store 
182. When, as a product of access processing 184, an 
encryption key is associated with a new file, the correspond- 
ing encryption key name is securely digested, again prefer- 
ably using the SHA-1 algorithm, and stored in the key 
identifier field 234 of the file management header 226. 

The security parameter index 230 may optionally also 
include a linked list storing, in encrypted form, the encryp- 
tion key value for the file 220. Each entry in the linked list 
includes a public key, encrypted key value tuple. The public 
key corresponds to a trusted encryption key agent server and 
the encrypted key value is encrypted with the public key of 
the agent. On retrieval of the network file data by a different 
secure network file access appliance 12', the public key 
identified agent server can be used to recover the encrypted 
key value. Providing support for multiple independent agent 
servers ensures that the encrypted key value can always be 
recovered. 

TABLE I 

Management Header Structure 



Street MGT_ 
BLOCK{ 

U32 Filc_GUID[5]; 

U32 Mgt_ 

Hdr_Ver, 

U32 Size_ 

Mgt_Blk; 

U32 Options! ]; 



// 160-bit unique random GUID for File 
// 32-bit version identifier for this structure 

// Size of the management block structure 



// Option include 

// -IntegrityMode: to compare digital signatures 
// -OutOfBand: out-of-band meta-data used 
// -CypherName: encryption algorithm ID 
// -ComprName: compression algorithm ID 
// -UserEncryption: Key__GUID is a user key 
// -GroupEncryption: Key__GUID is a group key 
// -HaveKeys: has list of agent encrypted keys 
U32 Key_GUlD[5J // 160-bit GUID for Key, generated by 
// SHA-1 (KeyName) 
// 160-bit GUID identifying the file creator 



60 



U32 Creator^ 
GU[D[51; 
BYTE IniL_ 
Vector[8]; 

U32 Padding! 3; 
U32 CRC; 
BYTE Signature 
[128]; 



*Key Table 



// Initial seed value for LAB encryption; 
// encryption seeds are a function of 
// Init_Vector + LAB Offeet 

// To verify management header block integrity 
//.Signature, signed with PrivKey for 

// PublicKey Vsrify Pre-computed. 

// Signs only static part of the structure to 
// avoid overhead on each file under the same 
// volume/policy. CRC is signed as the last part 
// so that changing to any part of the whole 
// block is detected. 

// Linked list of Public Key, agent encrypted 
// LAB Symmetric Key tuples 



65 



The security options array 236 provides an indexed list of 
the security functions applied to the logical access blocks 
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224 associated with file management header 226. These 
options preferably include identifiers of the whether encryp- 
tion is used and the applicable encryption algorithm, 
whether compression is used and the applicable compression 
algorithm, whether the encryption key name lookup should 5 
be user or group based, whether an agent encrypted key list 
is present, and whether tamper detection through digital 
signature checking is to be enforced. The file related infor- 
mation 238 fields provide storage for various other 
information, such as a GUID corresponding to the file 10 
creator. 

Finally, the security signature 232 provides storage for a 
cyclic redundancy check (CRC) value and digital signature. 
The CRC value is preferably computed over the binary value 
of the preceding portions of the file management header 226 15 
to permit block integrity checking. The digital signature is 
computed for the preceding portions of the file management 
header 226 including the CRC field to enable detection of 
tampering with any portion of the file management header 
226, 20 

A preferred in-band structure of logical access blocks 224 
is also shown in FIG. 8d. The primary fields of a logical 
access block 224 include a LAB data field 240, a LAB 
signature field 242, and an optional LAB compression 
header 244. Hie LAB data field 240 contains an encrypted 25 
and/or compressed portion of the packet payload data 222. 
The size of the LAB data field 240 is nominally set as a 
multiple of a natural or convenient block size recognized by 
the file system 36 and further chosen for block encryption 
algorithm efficiency, 30 

In accordance with the present invention, segmentation of 
the packet payload data 222 into the logical access blocks 
224 enables reasonably sized blocks of file data to be 
encrypted and compressed as atomic units. Smaller seg- 35 
ments sizes are preferred for obtaining relatively efficient 
random read/write operations directed to the file 220 as 
stored by random access devices within the network storage 
resources 16. Larger segment' sizes are preferred for lower 
processing overhead, greater encryption and compression 4Q 
efficiency, and where the target device within the network 
strange resources 16 is a streaming access device, such as a 
conventional tape drive. Preferably, the packet payload data 
222 segment size has a block modulo of eight bytes with a 
minimum size of 512 bytes and a nominally preferred size 45 
of 1024 bytes for random access devices. For streaming 
access devices, larger block sizes on the order of 8096 bytes 
may be preferred. 

Where the last segment of the packet payload data 222 is 
less- than the nominally preferred segment size, a smaller 50 
block size is used. This smaller block size is chosen to be the 
largest modulo eight byte block size that is the same or 
smaller than the size of the last segment. All but at most 
seven bytes of the last segment are then block encrypted. 
Any remaining segment bytes are then XORed with a mask 55 
value generated by the encryption of an eight-byte length, 
zero-value string and then appended to the block encrypted 
portion of the last segment. 

The LAB compression header 242, preferably included 
only where the packet payload segment held by the logical 60 
access block 224 is compressed, includes fields specifying 
the offset and range of the file data contained within the LAB 
data field 240. Dependent on the underlying data values and 
the stream compression algorithm applied, the segment 
length or range of the packet payload data 222 stored in the 65 
LAB data field 240 is variable. The segment length is 
manipulated to obtain compressed data that closely 
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approaches the preferred LAB data field size. Padding is 
provided to reach a modulo eight-byte encryption block 
compatible size. At a minimum, the range value identifies 
the actual compressed data carried in a completed logical 
access block 224. 

The LAB signature 244 is preferably computed as a 
secure digest of the LAB data field 240 and, where present, 
the LAB compression header 242, In the preferred embodi- 
ments of the present invention, an SHA-1 algorithm is used 
to create the LAB signature 244. The security of each logical 
access block 244, when retrieved to the secure network file 
access appliance 12, can be assured against tampering by 
recomputing the secure digest of the LAB data field 240, 
including any LAB compression header 242, and comparing 
against the LAB signature 244. For a preferred variant of the 
present invention, network file data is stored as logical 
access blocks 224 containing only unencrypted, uncom- 
pressed LAB data 240 and LAB signatures 244. While the 
efficiency of random access over network file data is 
maintained, modifications potentially due to improper tam- 
pering with the contents of the network file are nonetheless 
detectable on an individual logical access block 224 level. 
The conventional necessity of reading the entire network file 
to compute a secure digest to detect tampering is not 
required. 

In an alternate embodiment of the present invention, an 
error correction trailer 246 is provided to store an ECC value 
computed over the LAB data field 240, any LAB compres- 
sion header 242 and the LAB signature 244. ECC values are 
computed on creation of the logical access blocks 244. Upon 
retrieval of logical access blocks 244, the ECC value is used 
to correct bit errors that may occur as a consequence of 
extended network infrastructure transport of the logical 
access blocks 244. In particular, bit errors may be introduced 
by network routers operating at the TCP layer and above. 
Such infrastructure induced bit errors are otherwise detected 
from the LAB signature 244, but are then indistinguishable 
from data tampering. Use of the error correction field 246 
serves to independently protect the integrity of the logical 
access blocks 244. 

The file management header 226 and the headers 244 and 
trailers 242, 246 of the logical access blocks 244 may be 
included in-band, or in -file, as generally represented in FIG. 
8d, as part of the file 220 as ultimately stored by the network 
storage resources 16. Different in-band layouts can also be 
used to optimize access to the logical access block data 240. 
The file management header 226, digital signatures 242, and 
compression headers 244 can be collected into one or more 
in-band super blocks. The size of these super blocks and the 
remaining logical access block data 240 can be sized to 
optimize I/O performance of the network storage resources 
16. 

Alternately, and potentially preferred, only the logical 
access block data 240 is stored by the network storage 
resources 16 in-band as the network file 220. The file 
meta-data, including the management header 226 and the 
headers 244 and trailers 242, 246, corresponding to a 
network file 220 are stored in a separate, meta-data or 
shadow file. Any parallel storage structure that maintains the 
relationship between the shadow file and the in-band net- 
work file 220 may be used. The shadow files can be created 
and stored on the network resources 16 within the same 
storage space as the network files 220, within a different 
storage space potentially physically remote from the net- 
work files 220, or on the platform 50 provided the parallel 
association of the shadow files with the network files 220 is 
maintained. For example, shadow files can be stored in the 
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same directory with the counterpart network files 220 and network packets through the IP filter layers 252, 254. 

identified by file names that are a defined permutation of the Preferably, the IP .filter layers 252, 254, and particularly the 

network file 220 file names. The shadow files can alternately inbound IP filter layer 252 7 is set to reject all connections 

be stored in a parallel directory structure diverging from a except those pertaining to network file access operations, 

defined root or relative root node of the network storage S including the NFS, CIFS, RPC, and mount protocols. These 

resources 16, In either case, the defined relationship between network file data packets passed by the IP filter layers 252, 

the shadow files and the corresponding network files 220 is 254 are directed for packet/LAB processing 258 as per- 

determined and known to the secure network file access formed by the software architecture 170. Unauthorized 

appliance 12, which can ensure the parallel reading and connection attempts and access requests lacking adequate 

writing of the shadow files with corresponding reading and 10 policy -based permissions are therefore preferentially 

writing of the network files 220. received, detected, and audited by the software architecture 

Referring again to FIG. 7, the packet to LAB processing 170. 

194 preferably utilizes, as required, the hardware accelera- The flexible analysis capabilities of the authentication and 

tors 62 to perform encryption 196 and compression 198 over access controls 176, 184 and policy parser 180, particularly 

the segments of packet payload data 222. The logical access 15 based on access to the full set of control information 114, 

blocks 224 a _^, together containing the packet payload data 122, allows a more refined identification of potential abuse 

222 of a network file data packet, are then collected into a patterns and a wider variety of remedial actions, including 

new network file data packet and passed to the network dynamically blocking specific source IPs, logging detailed 

interface 192 for transport to the networks storage resources information, and issuing real-time administrative alerts. The 

16. 20 security and reporting strength of the firewall filters 252, 254 

Network file data packets received through the network is appropriate for handling connection attempts unrelated to 

interface 192 are similarly processed 200 to expose and me primary functions of the secure network file access 

deliver the network control information 114 for authentica- appliance 12. The firewall filters 252, 254 may also be 

tion and access processing 176, 184 and logical access utilized to proxy selected network data packets, including 

blocks 224j_^ contained in the packet payload data to a 25 potentially network file data packets, through the secure 

logical access block to packet data process 202. The provi- network file access appliance 12, utilizing a bypass route 

sion for authentication and access processing 176, 184 260. In the case of VPN 42 and network file access appliance 

permits even distributed, potentially client-based network l 2 ' designated source IP addresses and protocols can be 

storage devices to be equally secured and made accessible as identified and appropriately bypassed 260. 

other network storage resources 16. In the preferred embodi- 30 For the fixed scale, hardware platform 50, the firewall 

ments of the present invention, minimal authentication and filters 252, 254 are preferably implemented through the 

access processing 176, 184 is performed for network file kernel execution of the operating system iptables module by 

data packets received from dedicated network storage the main processors 54. On the scalable hardware platform 

resources 16. 80, the firewall filter layers 252, 254 are preferably imple- 

The logical access blocks 224^ received in the packet 35 mented on the ingress and egress processors 86, 88, with the 
payload data are processed 202 to apply error correction, bypass routed network packets being passed directly 
where the error correction field 246 is present, and validate between the ingress and egress processors 86, 88. The filter 
the integrity of the LAB data fields 240, including the LAB niles maintained in the filter rules store 256 are administered 
compression headers 244 if present, against the digital CQ through the administration interface 208. 
signature 242 values. The file management header 226 is An NFS/CIFS read transaction 270, structured in accor- 
read, typically in advance, by the NFS/CIFS state machine dance with a preferred embodiment of the present invention, 
process 186 to obtain the encryption key identifier from the is shown graphically in FIG. 10a. A read target file, con- 
field 234 and compression algorithm identity, if applicable sisting of a file management header 226 and a sequence of 
from the options index field 236. The LAB data fields 240 45 logical access blocks 224 1-JV , exists on the network storage 
are then decompressed 204, if applicable, and decrypted resources 16. In general, an inbound read request identifies 
206. The NFS/CIFS state machine process 186, based on the an offset and range of data to read 272. Outbound read 
pending inbound file data read request transaction, identifies requests are issued to read 274, 276 the file management 
an offset and range-selected portion of the combined logical header 226 and an encompassing, block-aligned sequence of 
access block 224^^ data representing client read requested 5Q logical access blocks 224^.^ The read request 276 retrieves 
data. The selected data is then incorporated into a network the requested logical access blocks 224 A . X in a series of one 
file data packet and provided to the network interface 172 for or more network file data packets, which are then processed 
transport to the transaction identified client 22, 24. to complete the inbound read request by returning one or 

For the preferred embodiments of the present invention, more network file data packets containing the read request 

an administration interface 208 provides access to and 55 data 272. 

configuration of the policy parser 180 and policy data store The specific processing 280 associated with an NFS/CIFS 
182, A network communications interface 210 provides read transaction 270 is shown in FIG. 10b. The secure 
access to the administration interface 208 independent of the network file access appliance 12, on receiving a firewall- 
inbound and outbound network interfaces 172, 192. filtered file data read request, exposes 282 and parses 284 the 
The software architecture 170 is preferably extended, as 60 network control information 114 against the policy rules and 
shown in FIG. 9, to provide additional security appliance- data 182, 184. Apolicy compliance failure is reported 286 by 
oriented features. The extended architecture 250 includes IP " ret "™ issuance of an NFS/CIFS appropriate reply network 
filter layers 252, 254 implementing firewall-type filtering for data packet. 

network connections made through the network interfaces Where the read request complies with the defined policy 

172, 192. A filter rules store 256 preferably maintains 65 requirements, the file related access control information is 

iptables-type specifications that define the IP addresses, optionally read 288 from the network storage resources 16 

network protocols, and internet ports permitted to pass to confirm existence of the file and evaluate applicable read 
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data permissions. Where the permissions check is performed and compression algorithm identifiers are computed and 

and fails, nonexistence of the file or inadequate permissions stored in the new file management header 226 along with 

are reported 286 without issuing the read file request to the computed CRC and signature values, 

network storage resources 16. The file meta-data, including The NFS/CIFS state machine 186 next provides for the 

the file management header 226 for the request target file, is 5 creation and issuance 332 of an NFS/CIFS create file request 

also read 288 from the network storage resource 16. A to the network storage resources 16 utilizing the directory 

block-aligned logical access block offset 290 and range 292 specification provided by the inbound create file request. For 

are determined and used to create and issue an outbound in-bond storage of the file management header 226, an 

read request directed to the network storage resources 16. NFS/CIFS file write request, containing the file management 

The read data offset is adjusted to account for the size of the 10 header 226, is then created and issued 334 to the network 

file management header 226 as stored at the beginning of the storage resources 16. Where a shadow meta-data file is 

file. Where the logical access blocks 224^ contain com- designated for use, an NFS/CIFS file create and write 

pressed data, file data reads of the LAB compression headers requests, the latter containing the file management header 

244 may be required to determine adjustments to both the 226, are created and issued 334 to the network storage 

read data offset and an encompassing read request range. 15 resources 16 to create the shadow file. Finally, an NFS/CIFS 

As the requested logical access blocks 224 A ^are received appropriate create file reply network data packet is returned 

294, error correction is applied 296, depending on whether to the client, 

the LAB ECC field 246 is present, decrypted 298 utilizing An NFS/CIFS write transaction 340, structured in accor- 
the key associated with the key name determined from the dance with a preferred embodiment of the present invention, 
key identifier field 234 of the file management header 226, 2 o is shown graphically in FIG. 12a. The write of file data to 
and decompressed 300, depending on whether the file man- an existing file in the network storage resources 16 uses a 
agement header 226 includes the compression option and read, modify, write procedure. An inbound write data request 
identifies a corresponding algorithm. The LAB digital sig- specifies an offset and range of write data 342 that is 
natures 242 are used to check the integrity of the retrieved provided in a transaction sequence of one or more network 
file data. A failure of the integrity check for any of the logical 2 5 file data packets. In most instances, the write request data 
access blocks 224 A .^ may result in a re-reading of some or will be unaligned to the logical access blocks 224 X _ N exist- 
all of the logical access blocks 224 A _ X , to protect against ing in the stored file. The file management header 226 and 
soft-errors, with persistent errors being ultimately reported any partially overlapped logical access blocks 224 A , 224y 
by the return issuance of an NFS/CIFS appropriate error are preemptively read 344, 346, 348, permitting the over- 
network data packet. Preferably, both soft and persistent 30 lapped logical access blocks 224 A , 224^ to be decrypted and 
errors are logged by the secure network file access appliance decompressed as required. An overlay of the inbound write 
12. Persistent errors, recognized through the operation of the data 342 with the block-aligned read data is then performed. 
NFS/CIFS state machine processing 186 of the inbound read The resulting block-aligned write data is then processed into 
request, are further preferably asserted against the policy logical access blocks 224 A .^ and written 350 in a write 
parser 180 for evaluation and subsequently issued 302 as a 35 transaction sequence of one or more network file data 
tampering alert message through the administrative interface packets to the network storage resources 16. 
208. Finally, as file data is received and processed in The preferred process 360 of performing an NFS/CIFS 
response to the outbound read request, the file data identified write request transaction is shown in FIG. 12b. The received 
in the inbound read request is assembled 304 into one or write file data request is received and processed 362 to 
more reply network file dat packets and returned. 40 expose the network control information 114. This informa- 

An NFS/CIFS create file transaction 310, as shown tion is then parsed 364 against the established policies 180, 

graphically in FIG. 11a, preferably operates to create a new 182, with any compliance failures being reported 386. The 

file containing a new file management header 226. As further network control information 114 is then further processed 

detailed in FIG. 11b, a create file request process 320 368 to identify the target file stored by the network storage 

initially exposes 322 and parses 324 the network control 45 resources 16, create and issue read requests to obtain the file 

information 114, with any policy compliance failures result- meta-data, including the file management header 226. The 

ing in the return issuance of an NFS/CIFS appropriate reply logical access block offset and range are then determined 

network data packet. Provided the file create request com- 370, 372, adjusting as needed for the presence of the file 

plies with the defined policy requirements, directory infer- management header 226 and compression of the logical 

mation is optionally read 328 from the network storage 50 access block 224 contained data. A file lock is asserted 

resources 16 to obtain the target file creation permissions. against the range logical access blocks 224 Aa .. The initial 

Where the permissions check is performed and fails, non- and terminal logical access blocks 224 A 224Ar are read 374 

existence of the target directory and inadequate permissions from the network storage resources 16, corrected 376 if the 

are reported 326 without asserting a create file request to the LAB ECC field 246 is present, decrypted 378, and decom- 

network storage resources 16. 55 pressed 380, as needed. Integrity failure errors are reported 

A file management header 226 is then created 330. 382. Data from the terminal logical access blocks 224 A , 
Through operation of the NFS/CIFS state machine process- 224^ are merged 384 with the write data 342 and the 
ing 186, the policy parser 180, based on the stored values combined data is resegmented 386, compressed 388 as 
provided from the policy data store 182, generates and appropriate, and encrypted 390. As applicable, LAB ECC 
provides the necessary values for the security parameter 60 values are computed and added 392 to the assembled 394 
index 230. In particular, the policy parser 180 preferably series of logical access blocks 224^.^. As the logical access 
associates encryption keys and compression choices against blocks 224 A .^ are assembled, one or more write network file 
directory specifications, including mount points. Thus, the data packets are constructed and sent to the network storage 
target location of the file to be created is utilized to deter- resources 16. Once the writing the logical access blocks 
mine whether encryption and compression are to be applied 65 224 A _ X has completed, the file lock is released, 
and the applicable key and algorithms for implementation. A Thus, a system and methods for establishing secure net- 
secure identifier based on the key name and compression work file access between users of distributed computer 
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systems and network-based storage systems has been 
described. In view of the above description of the preferred 
embodiments of the present invention, many modifications 
and variations of the disclosed embodiments will be readily 
. appreciated by those of skill in the art. It is therefore to be 5 
understood that, within the scope of the appended claims, 
the invention may be practiced otherwise than as specifically 
described above. 
What is claimed is: 

1. A network storage architecture supporting the secure 10 
access and transfer of data between a client computer system 
and a network data store, said network storage architecture 
comprising: 

a) an agent provided on a client computer system, wherein 
said client computer system supports execution of an 15 
application program including the issuance of a first file 
data request with respect to a predetermined network 
file, wherein said agent develops authentication data 
with respect to said application; 

b) a network data store providing for the storage of said 20 
predetermined network file; and 

c) a network appliance coupleable through a first network 
to said client computer system to receive said first file 
data request and through a second network to said 
network data store to provide a second read request, 25 
wherein said network appliance inte rope rates with said 
agent to receive and validate said authentication data to 
enable the generation of a second file data request 
corresponding to said first file data request, and 
wherein said network appliance is operative to transmit 30 
said second file data request to said network data store. 

2. The network storage architecture of claim 1 wherein 
said authentication data defines a session with respect to the 
execution of said application program and wherein said 
authentication data is provided to said network appliance 35 
with said first file data request. 

3. The network storage architecture of claim 2 wherein 
said authentication data includes a process identifier corre- 
sponding to said application program as executed on said 
client computer system. 40 

4. The network storage architecture of claim 3 wherein 
said authentication data includes a verified user identifier. 

5. The network storage architecture of claim 2 wherein 
said network appliance includes an encryption unit and 
wherein said network appliance provides for the encryption 45 
of file data transferred in connection with said second file 
data request. 

6. The network storage architecture of claim 5 wherein 
said network appliance provides for the storage of meta- 
data, including an encryption key identifier, in correspon- 50 
dence with said predetermined network file and wherein said 
network appliance provides for the retrieval of said meta- 
data selectively in connection with said first file data request. 

7. The network storage architecture of claim 6 wherein 
said network appliance includes an encryption key store and 55 
wherein said encryption key identifier selects an encryption 
key provided to said encryption unit in connection with said 
second file data request. 

8. The network storage architecture of claim 7 wherein 
said authentication data includes a process identifier, corre- 60 
sponding to said application program as executed on said 
client computer system, a verified user identifier, and a 
group identifier, wherein said network appliance further 
includes an access policy store which stores a plurality of 
predetermined access policies, and wherein said network 65 
appliance is operative to qualify said file data request against 
said plurality of predetermined access policies stored by said 
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access policy store with respect to said process identifier, 
verified user identifier, and group identifier. 

9. The network storage architecture of claim 8 wherein 
said first file data request is further qualified against said 
plurality of predetermined access policies in combination 
with an identification of said network data store. 

10. A network storage security appliance coupleable in a 
network infrastructure between a client computer system 
and a network storage system to authenticate and secure file 
system requests and data transferred thereinbetween, said 
network storage security appliance comprising: 

a) an authentication controller coupleable to communicate 
with an agent on a predetermined client computer 
system, said authentication controller being operative 
to receive and validate authentication data collected by 
said agent with respect to a predetermined application 
loaded for execution by said client computer system 
and wherein said predetermined application provides 
first file system requests directed to said network stor- 
age security appliance with respect to first file data; and 

b) a protocol processor coupled to said authentication 
controller and responsive to said first file system 
requests to provide second file system requests to a 
network storage system, said protocol processor pro- 
viding for a secure data protocol conversion between 
said first file data and a second file data transferred in 
connection with said second file system requests, 
wherein the secure data protocol of said second file data 
being transparent to said network storage system. 

11. The network storage security appliance of claim 10 
wherein said authentication controller is operative to selec- 
tively enable the operation of said protocol processor with 
respect to said second file system requests. 

12. The network storage security appliance of claim 11 
wherein said secure data protocol provides for the digital 
signing of said first file data. 

13. The network storage security appliance of claim 11 
wherein said secure data protocol provides for the encryp- 
tion of said first file data. 

14. The network storage security appliance of claim 13 
wherein said protocol processor includes an encryption key 
store providing for the storage of a plurality of encryption 
keys, and wherein said protocol processor is operative to 
autonomously associate a predetermined encryption key 
with said first file data. 

15. The network storage security appliance of claim 14 
wherein meta-data is associated with said second file data 
and wherein said protocol processor is responsive to said 
meta-data to select said predetermined encryption key from 
said encryption key store with respect to said second file 
data. 

16. The network storage security appliance of claim 15 
wherein said meta-data is stored by said network storage 
system in correspondence with said second file data. 

17. The network storage security appliance of claim 16 
wherein an individual instance of said meta-data is stored 
with respect to said second file data. 

18. The network storage security appliance of claim 17 
wherein said individual instance of said meta-data is stored 
as part of said second file data. 

19. A method of securing file data on a network storage 
device accessible to clients through a network, said method 
comprising the steps of: 

a) establishing a network portal through which network 
file accesses are routed between a predetermined client 
system and a network file data store; 

b) authenticating, supported by said network portal, net- 
work access by an application executed on said prede- 
termined client system with respect to said network file 
data store; 
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c) filtering, by said network portal, first network file 
requests provided by said predetermined client with 
respect to a predetermined network data file stored by 
said network file data store, said filtering step including 
evaluating authentication data provided with said first S 
network file requests as a qualifying basis for providing 
second network file requests to said network file data 
store; and 

d) processing, by said network portal, first network file 
data identified by said first network file requests to 10 
secure said first network file data as second network file 
data for transport between said predetermined client 
and said network file data store. 

20. The method of claim 19 wherein said processing step 
includes the autonomous digital signing of said second 15 
network file data as a plurality of logical blocks, wherein the 
digital signing of said second network file data is transparent 

to the storage of said second network file data by said 
network file data store. 

21. The method of claim 19 wherein said processing step 20 
includes the autonomous encrypting and decrypting of said 
second network file data as a plurality of logical blocks, 
wherein the encryption of said second network file data is 
transparent to the storage of said second network file data by 
said network file data store. 25 

22. The method of claim 19 wherein said authentication 
data includes network and IP layer control information and 
wherein said filtering step includes verifying said first net- 
work file requests based on said network and IP layer control 
information. 30 

23. The method of claim 22 wherein said processing step 
includes the autonomous encrypting and decrypting of said 
second network file data, including retrieval of an encryp- 
tion key identifier stored in association with said predeter- 
mined network data file, the encryption of said second 35 
network file data being transparent to the storage of said 
second network file data by said network file data store, said 
processing step further providing for the retrieval of an 
encryption key corresponding to said encryption key iden- 
tifier to enable encryption and decryption of said second 40 
network file data. 

24. The method of claim 23 wherein said encryption key 
is stored by said network portal. 

25. The method of claim 21 further comprising the step of 
selectively storing encryption key identifiers with network 45 
data files transparently with respect to said network store 
and wherein said step of processing includes associating said 
encryption key identifier with said encryption key to enable 
the autonomous encrypting and decrypting of said predeter- 
mined network data file. 
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26. A network file access appliance providing secure 
remote file-based access to an external data store, said 
network file access appliance comprising: 

a) first and second network interfaces couple able respec- 
tively to a client network and an external data storage 
network; and 

b) a network data processor coupled between said first and 
second network interfaces, said network data processor 
terminating a first network file access transaction across 
said first network interface and initiating a second 
network file access transaction across said second net- 
work interface, 

said network data processor including 

an authentication controller, responsive to access 
authentication data provided with said first network 
file access transaction, operative to validate said first 
network file access transaction with respect to a 
predetermined application program, and 

a protocol processor, responsive to said authentication 
controller, operative to convert the presentation of 
network file data between a first form transported in 
said first network file access transaction and a secure 
second form transported in said second network file 
access transaction. 

27. The network file access appliance of claim 26 wherein 
said authentication controller, responsive to authentication 
data provided with respect to said predetermined application 
program, is operative to establish a session context for 
validation of said first network file access transaction. 

28. The network file access appliance of claim 27 wherein 
said access authentication data includes a source IP and a file 
system mount point. 

29. The network file access appliance of claim 28 wherein 
said protocol processor includes a block encryption unit and 
wherein said protocol processor is operative to encrypt 
blocks of network file data transferred to said external data 
storage network and decrypt blocks of network file data 
received from said external data storage network. 

30. The network file access appliance of claim 29 wherein 
said first network file access transaction includes a target 
network file specification, wherein said network data pro- 
cessor includes a policy parser operative to associate pre- 
determined target file encryption parameters with said first 
network file access transaction based on said target network 
file specification, and wherein said network data processor is 
responsive to said target file encryption parameters in 
encrypting blocks of network file data transferred to said 
external data storage network. 

* * * * * 
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